I was working on a recent issue in which a Windows Azure based Web Role kept recycling through the initializing, busy, aborted, etc. states. The application event log shows the following error:


Microsoft.WindowsAzure.ServiceRuntime Critical: 1 : Unhandled Exception:
System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Filename: \\?\E:\sitesroot\0\web.config
Line number: 158
Error: The 'validation' attribute is invalid. Enum must be one of MD5, SHA1, 3DES, AES



Here are a few key points about the scenario in which this problem occurred:

 - Windows Azure Web Role with .NET 4.

 - In .NET 4 the default validation algorithm for the machine key is HMACSHA256, so for a .NET 4 based web role the following is set automatically in web.config:

<machineKey validation="HMACSHA256" />

 - IIS itself does support HMACSHA256 based machine key validation; the problem is related to IISConfigurator.exe, which runs after the web role (WaIISHost.exe) process starts, to configure the IIS site before starting the w3wp process.

 - If you look at the IISConfigurator logs, you will see that the exception itself is coming from IISConfigurator.exe:

IISConfigurator Information: 0 : [03/28/11 06:01:44.76] Exception:System.Runtime.InteropServices.COMException (0x8007000D): Filename: \\?\E:\sitesroot\0\web.config
Line number: 52
Error: The 'validation' attribute is invalid. Enum must be one of MD5, SHA1, 3DES, AES
at Microsoft.Web.Administration.Interop.AppHostWritableAdminManager.GetAdminSection(String bstrSectionName, String bstrSectionPath)
at Microsoft.Web.Administration.Configuration.GetSectionInternal(ConfigurationSection section, String sectionPath, String locationPath)
at Microsoft.WindowsAzure.ServiceRuntime.IISConfigurator.WasManager.SetupMachineKeys(String siteName, ServerManager serverManager, String roleGuid)
at Microsoft.WindowsAzure.ServiceRuntime.IISConfigurator.WasManager.DeploySite(String roleId, WASite roleSite, String appPoolName, String sitePath, String iisLogsRootFolder, String failedRequestLogsRootFolder, List`1 bindings, List`1 protocols, FileManager fileManager, WAAppPool defaultAppPoolSettings, String roleGuid, String& appPoolSid, List`1 appPoolsAdded)
at Microsoft.WindowsAzure.ServiceRuntime.IISConfigurator.IISConfigurator.Deploy(String roleId, WebAppModel appModel, String roleRootDirectory, String sitesDestinationDirectory, String diagnosticsRootFolder, String roleGuid, Dictionary`2 globalEnvironment)

 - So the problem is actually in the IISConfigurator.exe process, which throws an error because it does not support HMACSHA256, and that causes the web role to get stuck in an infinite recycling loop.


Note: According to the document here, the validation algorithm can be HMACSHA256 and some other values, but the error message says it must be one of MD5, SHA1, 3DES, AES.


As you may know, to solve this problem you just need to change the machine key validation setting to SHA1, as below:


<machineKey validation="SHA1" />
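
A pre-deployment check for the condition described above, as an added example that is not part of the original post or of any Azure tooling: it scans a web.config for every machineKey element and reports, with its line number, any validation value outside the set named in the error message. The names check_machine_key, rejected and SAMPLE are hypothetical, and exact case-sensitive matching is an assumption.

```python
import sys
import xml.parsers.expat

# Values the error message on this page lists as valid for 'validation'.
# Exact, case-sensitive matching is an assumption of this example.
ACCEPTED_BY_SCHEMA = {"MD5", "SHA1", "3DES", "AES"}

# Constructed sample web.config, not taken from the original post.
SAMPLE = """<configuration>
  <system.web>
    <machineKey validation="HMACSHA256" />
  </system.web>
  <location path="admin">
    <system.web>
      <machineKey validation="SHA1" />
    </system.web>
  </location>
</configuration>"""


def check_machine_key(web_config_text):
    """Return (line, value, accepted) for each <machineKey validation=...>."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        # Matches machineKey at any depth, including inside <location> blocks.
        if name == "machineKey" and "validation" in attrs:
            value = attrs["validation"]
            findings.append(
                (parser.CurrentLineNumber, value, value in ACCEPTED_BY_SCHEMA))

    parser.StartElementHandler = on_start
    parser.Parse(web_config_text, True)
    return findings


def rejected(web_config_text):
    """Return only the (line, value) pairs that would trip the schema error."""
    return [(line, value)
            for line, value, ok in check_machine_key(web_config_text) if not ok]


if __name__ == "__main__":
    # Pass a web.config path as the first argument; falls back to SAMPLE.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE
    bad = rejected(text)
    for line, value in bad:
        print(f'line {line}: validation="{value}" not in {sorted(ACCEPTED_BY_SCHEMA)}')
    sys.exit(1 if bad else 0)
```

Run as a build step, the non-zero exit code stops the package from being deployed with a value that would put the role into the recycle loop.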